From cf1971b6419a502140df4d4ee89d18624f781c86 Mon Sep 17 00:00:00 2001 From: Thomas Ferrandiz Date: Fri, 8 Mar 2024 16:16:40 +0000 Subject: [PATCH 1/3] remove multiClusterCidr related-code. The feature was removed in Kubernetes upstream so we don't need it currently. --- Documentation/kube-flannel.yml | 7 - go.mod | 2 +- main.go | 36 ++--- pkg/backend/ipip/ipip.go | 7 +- pkg/backend/udp/udp_amd64.go | 6 +- pkg/backend/vxlan/vxlan.go | 12 +- pkg/backend/wireguard/wireguard.go | 14 +- pkg/backend/wireguard/wireguard_network.go | 32 ++--- pkg/subnet/config.go | 124 ---------------- pkg/subnet/config_test.go | 22 --- pkg/subnet/kube/kube.go | 12 +- pkg/subnet/subnet.go | 13 +- pkg/trafficmngr/iptables/iptables.go | 142 +++++++------------ pkg/trafficmngr/iptables/iptables_test.go | 9 +- pkg/trafficmngr/iptables/iptables_windows.go | 6 +- pkg/trafficmngr/nftables/nftables.go | 6 +- pkg/trafficmngr/nftables/nftables_windows.go | 6 +- pkg/trafficmngr/trafficmngr.go | 6 +- 18 files changed, 93 insertions(+), 369 deletions(-) diff --git a/Documentation/kube-flannel.yml b/Documentation/kube-flannel.yml index be0266e28c..0f69d32a0b 100644 --- a/Documentation/kube-flannel.yml +++ b/Documentation/kube-flannel.yml @@ -34,13 +34,6 @@ rules: - nodes/status verbs: - patch -- apiGroups: - - networking.k8s.io - resources: - - clustercidrs - verbs: - - list - - watch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/go.mod b/go.mod index c134034cdf..3bbe08aec7 100644 --- a/go.mod +++ b/go.mod @@ -128,7 +128,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect - k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 + k8s.io/utils v0.0.0-20221107191617-1a15be271d1d // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect sigs.k8s.io/yaml v1.3.0 // indirect ) diff --git a/main.go b/main.go index 64e4bef1d7..019b995a5d 100644 --- a/main.go +++ b/main.go @@ -346,39 +346,19 @@ func main() { os.Exit(1) } - flannelIPv4Net := ip.IP4Net{} - flannelIpv6Net := ip.IP6Net{} - if config.EnableIPv4 { - flannelIPv4Net, err = config.GetFlannelNetwork(&bn.Lease().Subnet) - if err != nil { - log.Error(err) - cancel() - wg.Wait() - os.Exit(1) - } - } - if config.EnableIPv6 { - flannelIpv6Net, err = config.GetFlannelIPv6Network(&bn.Lease().IPv6Subnet) - if err != nil { - log.Error(err) - cancel() - wg.Wait() - os.Exit(1) - } - } // Set up ipMasq if needed if opts.ipMasq { - prevNetworks := ReadCIDRsFromSubnetFile(opts.subnetFile, "FLANNEL_NETWORK") + prevNetwork := ReadCIDRFromSubnetFile(opts.subnetFile, "FLANNEL_NETWORK") prevSubnet := ReadCIDRFromSubnetFile(opts.subnetFile, "FLANNEL_SUBNET") - prevIPv6Networks := ReadIP6CIDRsFromSubnetFile(opts.subnetFile, "FLANNEL_IPV6_NETWORK") + prevIPv6Network := ReadIP6CIDRFromSubnetFile(opts.subnetFile, "FLANNEL_IPV6_NETWORK") prevIPv6Subnet := ReadIP6CIDRFromSubnetFile(opts.subnetFile, "FLANNEL_IPV6_SUBNET") err = trafficMngr.SetupAndEnsureMasqRules(ctx, - flannelIPv4Net, prevSubnet, - prevNetworks, - flannelIpv6Net, prevIPv6Subnet, - prevIPv6Networks, + config.Network, prevSubnet, + prevNetwork, + config.IPv6Network, prevIPv6Subnet, + prevIPv6Network, bn.Lease(), opts.iptablesResyncSeconds) if err != nil { @@ -394,8 +374,8 @@ func main() { // In Docker 1.13 and later, Docker sets the default policy of the FORWARD chain to DROP. if opts.iptablesForwardRules { trafficMngr.SetupAndEnsureForwardRules(ctx, - flannelIPv4Net, - flannelIpv6Net, + config.Network, + config.IPv6Network, opts.iptablesResyncSeconds) } diff --git a/pkg/backend/ipip/ipip.go b/pkg/backend/ipip/ipip.go index abe845f0b3..c07960e5da 100644 --- a/pkg/backend/ipip/ipip.go +++ b/pkg/backend/ipip/ipip.go @@ -90,12 +90,7 @@ func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup, return nil, fmt.Errorf("failed to acquire lease: %v", err) } - net, err := config.GetFlannelNetwork(&n.SubnetLease.Subnet) - if err != nil { - return nil, err - } - - link, err := be.configureIPIPDevice(n.SubnetLease, net) + link, err := be.configureIPIPDevice(n.SubnetLease, config.Network) if err != nil { return nil, err diff --git a/pkg/backend/udp/udp_amd64.go b/pkg/backend/udp/udp_amd64.go index 79bc08a0fd..246bca78ae 100644 --- a/pkg/backend/udp/udp_amd64.go +++ b/pkg/backend/udp/udp_amd64.go @@ -79,15 +79,11 @@ func (be *UdpBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup, c return nil, fmt.Errorf("failed to acquire lease: %v", err) } - net, err := config.GetFlannelNetwork(&l.Subnet) - if err != nil { - return nil, err - } // Tunnel's subnet is that of the whole overlay network (e.g. /16) // and not that of the individual host (e.g. /24) tunNet := ip.IP4Net{ IP: l.Subnet.IP, - PrefixLen: net.PrefixLen, + PrefixLen: config.Network.PrefixLen, } return newNetwork(be.sm, be.extIface, cfg.Port, tunNet, l) diff --git a/pkg/backend/vxlan/vxlan.go b/pkg/backend/vxlan/vxlan.go index b09b9c9a13..7fb9d2a842 100644 --- a/pkg/backend/vxlan/vxlan.go +++ b/pkg/backend/vxlan/vxlan.go @@ -211,20 +211,12 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup, // This IP is just used as a source address for host to workload traffic (so // the return path for the traffic has an address on the flannel network to use as the destination) if config.EnableIPv4 { - net, err := config.GetFlannelNetwork(&lease.Subnet) - if err != nil { - return nil, err - } - if err := dev.Configure(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, net); err != nil { + if err := dev.Configure(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, config.Network); err != nil { return nil, fmt.Errorf("failed to configure interface %s: %w", dev.link.Attrs().Name, err) } } if config.EnableIPv6 { - net, err := config.GetFlannelIPv6Network(&lease.IPv6Subnet) - if err != nil { - return nil, err - } - if err := v6Dev.ConfigureIPv6(ip.IP6Net{IP: lease.IPv6Subnet.IP, PrefixLen: 128}, net); err != nil { + if err := v6Dev.ConfigureIPv6(ip.IP6Net{IP: lease.IPv6Subnet.IP, PrefixLen: 128}, config.IPv6Network); err != nil { return nil, fmt.Errorf("failed to configure interface %s: %w", v6Dev.link.Attrs().Name, err) } } diff --git a/pkg/backend/wireguard/wireguard.go b/pkg/backend/wireguard/wireguard.go index 7e63c447b7..36b8b02adf 100644 --- a/pkg/backend/wireguard/wireguard.go +++ b/pkg/backend/wireguard/wireguard.go @@ -171,25 +171,17 @@ func (be *WireguardBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr } if config.EnableIPv4 { - net, err := config.GetFlannelNetwork(&lease.Subnet) - if err != nil { - return nil, err - } - err = dev.Configure(lease.Subnet.IP, net) + err = dev.Configure(lease.Subnet.IP, config.Network) if err != nil { return nil, err } } if config.EnableIPv6 { - ipv6net, err := config.GetFlannelIPv6Network(&lease.IPv6Subnet) - if err != nil { - return nil, err - } if cfg.Mode == Separate { - err = v6Dev.ConfigureV6(lease.IPv6Subnet.IP, ipv6net) + err = v6Dev.ConfigureV6(lease.IPv6Subnet.IP, config.IPv6Network) } else { - err = dev.ConfigureV6(lease.IPv6Subnet.IP, ipv6net) + err = dev.ConfigureV6(lease.IPv6Subnet.IP, config.IPv6Network) } if err != nil { return nil, err diff --git a/pkg/backend/wireguard/wireguard_network.go b/pkg/backend/wireguard/wireguard_network.go index b4083a68bf..36ed46b2c7 100644 --- a/pkg/backend/wireguard/wireguard_network.go +++ b/pkg/backend/wireguard/wireguard_network.go @@ -183,13 +183,9 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) { if err != nil { log.Errorf("could not read network config: %v", err) } - flannelnet, err := netconf.GetFlannelNetwork(&event.Lease.Subnet) - if err != nil { - log.Errorf("could not get flannel network: %v", err) - } - if err := n.dev.addRoute(flannelnet.ToIPNet()); err != nil { - log.Errorf("failed to add ipv4 route to (%s): %v", flannelnet, err) + if err := n.dev.addRoute(netconf.Network.ToIPNet()); err != nil { + log.Errorf("failed to add ipv4 route to (%s): %v", netconf.Network, err) } } @@ -206,13 +202,9 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) { if err != nil { log.Errorf("could not read network config: %v", err) } - ipv6flannelnet, err := netconf.GetFlannelIPv6Network(&event.Lease.IPv6Subnet) - if err != nil { - log.Errorf("could not get flannel network: %v", err) - } - if err := n.v6Dev.addRoute(ipv6flannelnet.ToIPNet()); err != nil { - log.Errorf("failed to add ipv6 route to (%s): %v", ipv6flannelnet, err) + if err := n.v6Dev.addRoute(netconf.IPv6Network.ToIPNet()); err != nil { + log.Errorf("failed to add ipv6 route to (%s): %v", netconf.IPv6Network, err) } } } else { @@ -242,21 +234,13 @@ func (n *network) handleSubnetEvents(ctx context.Context, batch []lease.Event) { if err != nil { log.Errorf("could not read network config: %v", err) } - flannelnet, err := netconf.GetFlannelNetwork(&event.Lease.Subnet) - if err != nil { - log.Errorf("could not get flannel network: %v", err) - } - if err := n.dev.addRoute(flannelnet.ToIPNet()); err != nil { - log.Errorf("failed to add ipv4 route to (%s): %v", flannelnet, err) - } - ipv6flannelnet, err := netconf.GetFlannelIPv6Network(&event.Lease.IPv6Subnet) - if err != nil { - log.Errorf("could not get flannel network: %v", err) + if err := n.dev.addRoute(netconf.Network.ToIPNet()); err != nil { + log.Errorf("failed to add ipv4 route to (%s): %v", netconf.Network, err) } - if err := n.dev.addRoute(ipv6flannelnet.ToIPNet()); err != nil { - log.Errorf("failed to add ipv6 route to (%s): %v", ipv6flannelnet, err) + if err := n.dev.addRoute(netconf.IPv6Network.ToIPNet()); err != nil { + log.Errorf("failed to add ipv6 route to (%s): %v", netconf.IPv6Network, err) } } diff --git a/pkg/subnet/config.go b/pkg/subnet/config.go index b7a1afe270..d5bce028df 100644 --- a/pkg/subnet/config.go +++ b/pkg/subnet/config.go @@ -19,11 +19,8 @@ import ( "errors" "fmt" "math/big" - "net" "github.com/flannel-io/flannel/pkg/ip" - "k8s.io/klog/v2" - netutils "k8s.io/utils/net" ) type Config struct { @@ -32,8 +29,6 @@ type Config struct { EnableNFTables bool Network ip.IP4Net IPv6Network ip.IP6Net - Networks []ip.IP4Net - IPv6Networks []ip.IP6Net SubnetMin ip.IP4 SubnetMax ip.IP4 IPv6SubnetMin *ip.IP6 @@ -73,9 +68,6 @@ func ParseConfig(s string) (*Config, error) { } cfg.BackendType = bt - cfg.Networks = make([]ip.IP4Net, 0) - cfg.IPv6Networks = make([]ip.IP6Net, 0) - return cfg, nil } @@ -204,119 +196,3 @@ func CheckNetworkConfig(config *Config) error { } return nil } - -// GetFlannelNetwork returns the relevant IPv4 network (i.e. clusterCIDR) for subnet sn -// If Networks is not empty, GetFlannelNetwork returns the first networks that contains subnet sn. -// If Networks is empty, this means we are not using the MultiClusterCIDR API -// so GetFlannelNetwork falls back to the standard behavior and returns the single Network entry -func (c *Config) GetFlannelNetwork(sn *ip.IP4Net) (ip.IP4Net, error) { - if c.HasNetworks() { - for _, net := range c.Networks { - if net.ContainsCIDR(sn) { - return net, nil - } - } - return ip.IP4Net{}, fmt.Errorf("could not find flannel networks matching subnet %s", sn) - } else { - emptyNet := ip.IP4Net{} - if c.Network != emptyNet { - return c.Network, nil - } else { - return emptyNet, fmt.Errorf("could not find an ipv4 network in the flannel configuration") - } - } -} - -// GetFlannelIPv6Network returns the relevant IPv6 network (i.e. clusterCIDR) for subnet sn -// If Networks is not empty, GetFlannelIPv6Network returns the first networks that contains subnet sn. -// If Networks is empty, this means we are not using the MultiClusterCIDR API -// so GetFlannelIPv6Network falls back to the standard behavior and returns the single IPv6Network entry -func (c *Config) GetFlannelIPv6Network(sn *ip.IP6Net) (ip.IP6Net, error) { - if c.HasIPv6Networks() { - for _, net := range c.IPv6Networks { - if net.ContainsCIDR(sn) { - return net, nil - } - } - return ip.IP6Net{}, fmt.Errorf("could not find flannel ipv6 networks matching subnet %s", sn) - } else { - emptyNet := ip.IP6Net{} - if c.IPv6Network != emptyNet { - return c.IPv6Network, nil - } else { - return emptyNet, fmt.Errorf("could not find an ipv6 network in the flannel configuration") - } - - } -} - -// AddNetwork adds net to either c.Networks or c.IPv6Networks depending on its type -func (c *Config) AddNetwork(net *net.IPNet) { - if netutils.IsIPv4CIDR(net) { - ip4net := ip.FromIPNet(net) - if !c.containsIPv4Network(ip4net) { - c.Networks = append(c.Networks, ip4net) - } - } else if netutils.IsIPv6CIDR(net) { - ip6net := ip.FromIP6Net(net) - if !c.containsIPv6Network(ip6net) { - c.IPv6Networks = append(c.IPv6Networks, ip6net) - } - } else { - klog.Warningf("cannot add unknown CIDR to config: %s", net) - } -} - -func (c *Config) containsIPv4Network(net ip.IP4Net) bool { - for _, ip4net := range c.Networks { - if net.Equal(ip4net) { - return true - } - } - return false -} - -func (c *Config) containsIPv6Network(net ip.IP6Net) bool { - for _, ip6net := range c.IPv6Networks { - if net.Equal(ip6net) { - return true - } - } - return false -} - -// HasNetworks returns true if there is at least 1 IPv4 network in the flannel config, -// false otherwise -func (c *Config) HasNetworks() bool { - if c.Networks != nil { - return len(c.Networks) > 0 - } else { - return false - } -} - -// HasIPv6Networks returns true if there is at least 1 IPv6 network in the flannel config, -// false otherwise -func (c *Config) HasIPv6Networks() bool { - if c.IPv6Networks != nil { - return len(c.IPv6Networks) > 0 - } else { - return false - } -} - -func (c *Config) GetNetworks() []ip.IP4Net { - if len(c.Networks) > 0 { - return c.Networks - } else { - return []ip.IP4Net{c.Network} - } -} - -func (c *Config) GeIPv6tNetworks() []ip.IP6Net { - if len(c.Networks) > 0 { - return c.IPv6Networks - } else { - return []ip.IP6Net{c.IPv6Network} - } -} diff --git a/pkg/subnet/config_test.go b/pkg/subnet/config_test.go index 66adbe4b0c..7e5f7422d7 100644 --- a/pkg/subnet/config_test.go +++ b/pkg/subnet/config_test.go @@ -15,7 +15,6 @@ package subnet import ( - "net" "testing" ) @@ -130,24 +129,3 @@ func TestIPv6ConfigOverrides(t *testing.T) { t.Errorf("IPv6SubnetLen mismatch: expected 124, got %d", cfg.IPv6SubnetLen) } } - -func TestIPv6ConfigNetworks(t *testing.T) { - s := `{ "EnableIPv6": true, "IPv6Network": "fc00::/48", "enableIPv4": false }` - - cfg, err := ParseConfig(s) - if err != nil { - t.Fatalf("ParseConfig failed: %s", err) - } - ipv6 := net.ParseIP("fc00::") - - cfg.AddNetwork(&net.IPNet{IP: ipv6, Mask: net.CIDRMask(48, 128)}) - if len(cfg.IPv6Networks) >= 2 { - t.Fatalf("too many elements in IPv6Networks: %s", cfg.IPv6Networks) - } - ipv6 = net.ParseIP("fc01::") - - cfg.AddNetwork(&net.IPNet{IP: ipv6, Mask: net.CIDRMask(48, 128)}) - if len(cfg.IPv6Networks) != 2 { - t.Fatalf("IPv6 network not added properly to IPv6Networks: %s", cfg.IPv6Networks) - } -} diff --git a/pkg/subnet/kube/kube.go b/pkg/subnet/kube/kube.go index 0e1e87261f..8b2076189c 100644 --- a/pkg/subnet/kube/kube.go +++ b/pkg/subnet/kube/kube.go @@ -408,27 +408,21 @@ func (ksm *kubeSubnetManager) AcquireLease(ctx context.Context, attrs *lease.Lea Expiration: time.Now().Add(24 * time.Hour), } if cidr != nil && ksm.enableIPv4 { - ipnet := ip.FromIPNet(cidr) - net, err := ksm.subnetConf.GetFlannelNetwork(&ipnet) if err != nil { return nil, err } - // this check is still needed when we use the flannel configuration and not the MultiClusterCIDR API - if !containsCIDR(net.ToIPNet(), cidr) { + if !containsCIDR(ksm.subnetConf.Network.ToIPNet(), cidr) { return nil, fmt.Errorf("subnet %q specified in the flannel net config doesn't contain %q PodCIDR of the %q node", ksm.subnetConf.Network, cidr, ksm.nodeName) } lease.Subnet = ip.FromIPNet(cidr) } if ipv6Cidr != nil { - ip6net := ip.FromIP6Net(ipv6Cidr) - net, err := ksm.subnetConf.GetFlannelIPv6Network(&ip6net) if err != nil { return nil, err } - // this check is still needed when we use the flannel configuration and not the MultiClusterCIDR API - if !containsCIDR(net.ToIPNet(), ipv6Cidr) { - return nil, fmt.Errorf("subnet %q specified in the flannel net config doesn't contain %q IPv6 PodCIDR of the %q node", net, ipv6Cidr, ksm.nodeName) + if !containsCIDR(ksm.subnetConf.IPv6Network.ToIPNet(), ipv6Cidr) { + return nil, fmt.Errorf("subnet %q specified in the flannel net config doesn't contain %q IPv6 PodCIDR of the %q node", ksm.subnetConf.IPv6Network, ipv6Cidr, ksm.nodeName) } lease.IPv6Subnet = ip.FromIP6Net(ipv6Cidr) diff --git a/pkg/subnet/subnet.go b/pkg/subnet/subnet.go index 0de2733223..d73c6137a1 100644 --- a/pkg/subnet/subnet.go +++ b/pkg/subnet/subnet.go @@ -21,7 +21,6 @@ import ( "path/filepath" "regexp" "strconv" - "strings" "sync" "github.com/flannel-io/flannel/pkg/ip" @@ -80,22 +79,14 @@ func WriteSubnetFile(path string, config *Config, ipMasq bool, sn ip.IP4Net, ipv return err } if config.EnableIPv4 { - if config.HasNetworks() { - fmt.Fprintf(f, "FLANNEL_NETWORK=%s\n", strings.Join(ip.MapIP4ToString(config.Networks), ",")) - } else { - fmt.Fprintf(f, "FLANNEL_NETWORK=%s\n", config.Network) - } + fmt.Fprintf(f, "FLANNEL_NETWORK=%s\n", config.Network) // Write out the first usable IP by incrementing sn.IP by one sn.IncrementIP() fmt.Fprintf(f, "FLANNEL_SUBNET=%s\n", sn) } if config.EnableIPv6 { - if config.HasIPv6Networks() { - fmt.Fprintf(f, "FLANNEL_IPV6_NETWORK=%s\n", strings.Join(ip.MapIP6ToString(config.IPv6Networks), ",")) - } else { - fmt.Fprintf(f, "FLANNEL_IPV6_NETWORK=%s\n", config.IPv6Network) - } + fmt.Fprintf(f, "FLANNEL_IPV6_NETWORK=%s\n", config.IPv6Network) // Write out the first usable IP by incrementing ip6Sn.IP by one ipv6sn.IncrementIP() fmt.Fprintf(f, "FLANNEL_IPV6_SUBNET=%s\n", ipv6sn) diff --git a/pkg/trafficmngr/iptables/iptables.go b/pkg/trafficmngr/iptables/iptables.go index 8126940d4d..c6688302ce 100644 --- a/pkg/trafficmngr/iptables/iptables.go +++ b/pkg/trafficmngr/iptables/iptables.go @@ -102,10 +102,8 @@ func (iptm *IPTablesManager) cleanUp() error { return nil } -func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet ip.IP4Net, - prevNetworks []ip.IP4Net, - flannelIPv6Net, prevIPv6Subnet ip.IP6Net, - prevIPv6Networks []ip.IP6Net, +func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net, + flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net, currentlease *lease.Lease, resyncPeriod int) error { @@ -125,18 +123,14 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne newLease := &lease.Lease{ Subnet: prevSubnet, } - if err := iptm.deleteIP4Tables(iptm.masqRules(prevNetworks, newLease)); err != nil { + if err := iptm.deleteIP4Tables(iptm.masqRules(prevNetwork, newLease)); err != nil { return err } } log.Infof("Setting up masking rules") iptm.CreateIP4Chain("nat", "FLANNEL-POSTRTG") - //Note: doesn't work for multiple networks but we disabled MultiClusterCIDR anyway - getRules := func() []trafficmngr.IPTablesRule { - return iptm.masqRules([]ip.IP4Net{flannelIPv4Net}, currentlease) - } - go iptm.setupAndEnsureIP4Tables(ctx, getRules, resyncPeriod) + go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease), resyncPeriod) } if !flannelIPv6Net.Empty() { //Find the cidr in FLANNEL_IPV6_NETWORK which contains the podCIDR (i.e. FLANNEL_IPV6_SUBNET) of this node @@ -154,23 +148,21 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne newLease := &lease.Lease{ IPv6Subnet: prevIPv6Subnet, } - if err := iptm.deleteIP6Tables(iptm.masqIP6Rules(prevIPv6Networks, newLease)); err != nil { + if err := iptm.deleteIP6Tables(iptm.masqIP6Rules(prevIPv6Network, newLease)); err != nil { return err } } log.Infof("Setting up masking rules for IPv6") iptm.CreateIP6Chain("nat", "FLANNEL-POSTRTG") - //Note: doesn't work for multiple networks but we disabled MultiClusterCIDR anyway - getRules := func() []trafficmngr.IPTablesRule { - return iptm.masqIP6Rules([]ip.IP6Net{flannelIPv6Net}, currentlease) - } - go iptm.setupAndEnsureIP6Tables(ctx, getRules, resyncPeriod) + go iptm.setupAndEnsureIP6Tables(ctx, iptm.masqIP6Rules(flannelIPv6Net, currentlease), resyncPeriod) } return nil } -func (iptm *IPTablesManager) masqRules(cluster_cidrs []ip.IP4Net, lease *lease.Lease) []trafficmngr.IPTablesRule { +func (iptm *IPTablesManager) masqRules(ccidr ip.IP4Net, lease *lease.Lease) []trafficmngr.IPTablesRule { + cluster_cidr := ccidr.String() + pod_cidr := lease.Subnet.String() ipt, err := iptables.New() supports_random_fully := false @@ -182,41 +174,30 @@ func (iptm *IPTablesManager) masqRules(cluster_cidrs []ip.IP4Net, lease *lease.L rules[0] = trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "POSTROUTING", Rulespec: []string{"-m", "comment", "--comment", "flanneld masq", "-j", "FLANNEL-POSTRTG"}} // This rule will not masquerade traffic marked by the kube-proxy to avoid double NAT bug on some kernel version rules[1] = trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-m", "mark", "--mark", trafficmngr.KubeProxyMark, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}} - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0), for any of the cluster_cidrs - rules = append(rules, - trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", pod_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, - trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, - ) - } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}) - } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // NAT if it's not multicast traffic - if supports_random_fully { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) - } else { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) - } - } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // Masquerade anything headed towards flannel from the host - if supports_random_fully { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) - } else { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) - } + // This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0), for any of the cluster_cidrs + rules = append(rules, + trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", pod_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, + trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, + ) + // Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}) + // NAT if it's not multicast traffic + if supports_random_fully { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) + } else { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "224.0.0.0/4", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) + } + // Masquerade anything headed towards flannel from the host + if supports_random_fully { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) + } else { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) } return rules } -func (iptm *IPTablesManager) masqIP6Rules(cluster_cidrs []ip.IP6Net, lease *lease.Lease) []trafficmngr.IPTablesRule { +func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *lease.Lease) []trafficmngr.IPTablesRule { + cluster_cidr := ccidr.String() pod_cidr := lease.IPv6Subnet.String() ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv6) supports_random_fully := false @@ -230,38 +211,25 @@ func (iptm *IPTablesManager) masqIP6Rules(cluster_cidrs []ip.IP6Net, lease *leas // This rule will not masquerade traffic marked by the kube-proxy to avoid double NAT bug on some kernel version rules[1] = trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-m", "mark", "--mark", trafficmngr.KubeProxyMark, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}} - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0), for any of the cluster_cidrs - rules = append(rules, - trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", pod_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, - trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, - ) - } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}) - } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // NAT if it's not multicast traffic - if supports_random_fully { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) - } else { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) - } - + // This rule makes sure we don't NAT traffic within overlay network (e.g. coming out of docker0), for any of the cluster_cidrs + rules = append(rules, + trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", pod_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, + trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}, + ) + // Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", pod_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "RETURN"}}) + // NAT if it's not multicast traffic + if supports_random_fully { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) + } else { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"-s", cluster_cidr, "!", "-d", "ff00::/8", "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) } - for _, ccidr := range cluster_cidrs { - cluster_cidr := ccidr.String() - // Masquerade anything headed towards flannel from the host - if supports_random_fully { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) - } else { - rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) - } + // Masquerade anything headed towards flannel from the host + if supports_random_fully { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE", "--random-fully"}}) + } else { + rules = append(rules, trafficmngr.IPTablesRule{Table: "nat", Action: "-A", Chain: "FLANNEL-POSTRTG", Rulespec: []string{"!", "-s", cluster_cidr, "-d", cluster_cidr, "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"}}) } return rules @@ -271,18 +239,12 @@ func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, fla if !flannelIPv4Network.Empty() { log.Infof("Changing default FORWARD chain policy to ACCEPT") iptm.CreateIP4Chain("filter", "FLANNEL-FWD") - getRules := func() []trafficmngr.IPTablesRule { - return iptm.forwardRules(flannelIPv4Network.String()) - } - go iptm.setupAndEnsureIP4Tables(ctx, getRules, resyncPeriod) + go iptm.setupAndEnsureIP4Tables(ctx, iptm.forwardRules(flannelIPv4Network.String()), resyncPeriod) } if !flannelIPv6Network.Empty() { log.Infof("IPv6: Changing default FORWARD chain policy to ACCEPT") iptm.CreateIP6Chain("filter", "FLANNEL-FWD") - getRules := func() []trafficmngr.IPTablesRule { - return iptm.forwardRules(flannelIPv6Network.String()) - } - go iptm.setupAndEnsureIP6Tables(ctx, getRules, resyncPeriod) + go iptm.setupAndEnsureIP6Tables(ctx, iptm.forwardRules(flannelIPv6Network.String()), resyncPeriod) } } @@ -426,8 +388,7 @@ func ipTablesBootstrap(ipt IPTables, iptRestore IPTablesRestore, rules []traffic return nil } -func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, getRules func() []trafficmngr.IPTablesRule, resyncPeriod int) { - rules := getRules() +func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) { ipt, err := iptables.New() if err != nil { // if we can't find iptables, give up and return @@ -463,8 +424,7 @@ func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Context, getRul } } -func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Context, getRules func() []trafficmngr.IPTablesRule, resyncPeriod int) { - rules := getRules() +func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Context, rules []trafficmngr.IPTablesRule, resyncPeriod int) { ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv6) if err != nil { // if we can't find iptables, give up and return @@ -492,7 +452,7 @@ func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Context, getRul return case <-time.After(time.Duration(resyncPeriod) * time.Second): // Ensure that all the iptables rules exist every 5 seconds - if err := ensureIPTables(ipt, iptRestore, getRules()); err != nil { + if err := ensureIPTables(ipt, iptRestore, rules); err != nil { log.Errorf("Failed to ensure iptables rules: %v", err) } } diff --git a/pkg/trafficmngr/iptables/iptables_test.go b/pkg/trafficmngr/iptables/iptables_test.go index 132f7ec53e..ab98336c0e 100644 --- a/pkg/trafficmngr/iptables/iptables_test.go +++ b/pkg/trafficmngr/iptables/iptables_test.go @@ -121,10 +121,11 @@ func TestDeleteRules(t *testing.T) { ipt := &MockIPTables{t: t} iptr := &MockIPTablesRestore{t: t} iptm := IPTablesManager{} - baseRules := iptm.masqRules([]ip.IP4Net{{ - IP: ip.MustParseIP4("10.0.1.0"), - PrefixLen: 16, - }}, testingLease()) + baseRules := iptm.masqRules( + ip.IP4Net{ + IP: ip.MustParseIP4("10.0.1.0"), + PrefixLen: 16, + }, testingLease()) expectedRules := expectedTearDownIPTablesRestoreRules(baseRules) err := ipTablesBootstrap(ipt, iptr, baseRules) diff --git a/pkg/trafficmngr/iptables/iptables_windows.go b/pkg/trafficmngr/iptables/iptables_windows.go index 4d55415a06..82f8b0878a 100644 --- a/pkg/trafficmngr/iptables/iptables_windows.go +++ b/pkg/trafficmngr/iptables/iptables_windows.go @@ -42,10 +42,8 @@ func (iptm IPTablesManager) Init(ctx context.Context, wg *sync.WaitGroup) error func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) { } -func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet ip.IP4Net, - prevNetworks []ip.IP4Net, - flannelIPv6Net, prevIPv6Subnet ip.IP6Net, - prevIPv6Networks []ip.IP6Net, +func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net, + flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net, currentlease *lease.Lease, resyncPeriod int) error { log.Error(trafficmngr.ErrUnimplemented) diff --git a/pkg/trafficmngr/nftables/nftables.go b/pkg/trafficmngr/nftables/nftables.go index 921af97e1a..f5892afbb5 100644 --- a/pkg/trafficmngr/nftables/nftables.go +++ b/pkg/trafficmngr/nftables/nftables.go @@ -160,10 +160,8 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context, } } -func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet ip.IP4Net, - prevNetworks []ip.IP4Net, - flannelIPv6Net, prevIPv6Subnet ip.IP6Net, - prevIPv6Networks []ip.IP6Net, +func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net, + flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net, currentlease *lease.Lease, resyncPeriod int) error { if !flannelIPv4Net.Empty() { diff --git a/pkg/trafficmngr/nftables/nftables_windows.go b/pkg/trafficmngr/nftables/nftables_windows.go index b66034b5b7..99d940f3f6 100644 --- a/pkg/trafficmngr/nftables/nftables_windows.go +++ b/pkg/trafficmngr/nftables/nftables_windows.go @@ -37,10 +37,8 @@ func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Context, flannelIPv4Network ip.IP4Net, flannelIPv6Network ip.IP6Net, resyncPeriod int) { } -func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet ip.IP4Net, - prevNetworks []ip.IP4Net, - flannelIPv6Net, prevIPv6Subnet ip.IP6Net, - prevIPv6Networks []ip.IP6Net, +func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net, + flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net, currentlease *lease.Lease, resyncPeriod int) error { log.Error(trafficmngr.ErrUnimplemented) diff --git a/pkg/trafficmngr/trafficmngr.go b/pkg/trafficmngr/trafficmngr.go index 99f401c4c5..5487320aa5 100644 --- a/pkg/trafficmngr/trafficmngr.go +++ b/pkg/trafficmngr/trafficmngr.go @@ -51,10 +51,8 @@ type TrafficManager interface { // SetupAndEnsureMasqRules starts a go routine that // rewrites these rules every resyncPeriod seconds if needed SetupAndEnsureMasqRules(ctx context.Context, - flannelIPv4Net, prevSubnet ip.IP4Net, - prevNetworks []ip.IP4Net, - flannelIPv6Net, prevIPv6Subnet ip.IP6Net, - prevIPv6Networks []ip.IP6Net, + flannelIPv4Net, prevSubnet, prevNetwork ip.IP4Net, + flannelIPv6Net, prevIPv6Subnet, prevIPv6Network ip.IP6Net, currentlease *lease.Lease, resyncPeriod int) error } From fecfe80a9112fceffefa3eaa4e1b48c0e7b39fcf Mon Sep 17 00:00:00 2001 From: Thomas Ferrandiz Date: Wed, 20 Mar 2024 14:17:10 +0000 Subject: [PATCH 2/3] go mod tidy --- go.sum | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/go.sum b/go.sum index 055145ddef..32212b42ba 100644 --- a/go.sum +++ b/go.sum @@ -776,8 +776,8 @@ k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5 h1:kmDqav+P+/5e1i9tFfHq1qcF3sOrDp+YEkVDAHu7Jwk= -k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d h1:0Smp/HP1OH4Rvhe+4B8nWGERtlqAGSftbSbbmm45oFs= +k8s.io/utils v0.0.0-20221107191617-1a15be271d1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= From 323f51ef18fe533cb704e2e8ad2fb90299556d37 Mon Sep 17 00:00:00 2001 From: Thomas Ferrandiz Date: Wed, 20 Mar 2024 15:04:40 +0000 Subject: [PATCH 3/3] fix merge issue --- pkg/trafficmngr/iptables/iptables.go | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/pkg/trafficmngr/iptables/iptables.go b/pkg/trafficmngr/iptables/iptables.go index c6688302ce..f440c91045 100644 --- a/pkg/trafficmngr/iptables/iptables.go +++ b/pkg/trafficmngr/iptables/iptables.go @@ -108,14 +108,6 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne resyncPeriod int) error { if !flannelIPv4Net.Empty() { - //Find the cidr in FLANNEL_NETWORK which contains the podCIDR (i.e. FLANNEL_SUBNET) of this node - prevNetwork := ip.IP4Net{} - for _, net := range prevNetworks { - if net.ContainsCIDR(&prevSubnet) { - prevNetwork = net - break - } - } // recycle iptables rules only when network configured or subnet leased is not equal to current one. if prevNetwork != flannelIPv4Net && prevSubnet != currentlease.Subnet { log.Infof("Current network or subnet (%v, %v) is not equal to previous one (%v, %v), trying to recycle old iptables rules", @@ -133,14 +125,6 @@ func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Context, flanne go iptm.setupAndEnsureIP4Tables(ctx, iptm.masqRules(flannelIPv4Net, currentlease), resyncPeriod) } if !flannelIPv6Net.Empty() { - //Find the cidr in FLANNEL_IPV6_NETWORK which contains the podCIDR (i.e. FLANNEL_IPV6_SUBNET) of this node - prevIPv6Network := ip.IP6Net{} - for _, net := range prevIPv6Networks { - if net.ContainsCIDR(&prevIPv6Subnet) { - prevIPv6Network = net - break - } - } // recycle iptables rules only when network configured or subnet leased is not equal to current one. if prevIPv6Network != flannelIPv6Net && prevIPv6Subnet != currentlease.IPv6Subnet { log.Infof("Current network or subnet (%v, %v) is not equal to previous one (%v, %v), trying to recycle old iptables rules",